from the don't-let-them-near-technology dept

There have been a couple of stories covering the fact that the South Carolina Supreme Court has ruled that reading someone's Gmail does not violate the Stored Communications Act, a part of ECPA -- a law we've written about a number of times for being completely out-of-date. Orin Kerr has a good breakdown of the details, if you want to read them. What struck me most, however, is how this case is a near perfect example of the kind of mess we get into when politicians try to regulate technology. Technology changes much, much, much faster than the law, and because of that, you get very silly results. The key issue here is that the Stored Communications Act is now found in 18 U.S.C. 2701 -- and it defines the offense as occurring when someone "obtains, alters or prevents" access to communication "while it is in electronic storage." Now, for the purpose of the law, "electronic storage" is defined over in 18 U.S.C. 2510, with the relevant definition noting:

“electronic storage” means--
(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and
(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication;

Got that? It must have seemed reasonable at the time it was written, but it makes little sense these days, and is apparently so misaligned with reality today that this one single case interprets that definition in three different ways, and exactly none of those ways agree with a 9th Circuit ruling in Theofel v. Farey-Jones. There's disagreement over the meaning of "backup" in part (B) in particular. Is that backup for the user? Or for the service provider? And then, how do you figure out what is or what is not backup? If a person reads his or her Gmail account, then the message was copied to his or her local machine inside the browser. Thus, it seems reasonable to argue that the copy that remains on the server is a backup copy. But two of the judges in this case argued that because the recipient had not "downloaded" any other copies of the message to store, then the ones on the server were not "backups." This makes little sense because copies were downloaded, but many non-technical people don't understand how browsers really work.

Other judges focus on whether or not your webmail account is really "backup" for the ISP. Either way, the end conclusions: webmail is not considered "electronic storage" under the law for the purpose of the Stored Communications Act. While accessing someone's email can (and likely does) still violate other laws, the very law that most people would probably think most directly applies, almost certainly does not.

The reality is that, when it was passed, back in 1986, it probably seemed to make sense that "stored communications" would only be done for backup. While there were networked client/server type setups at the time, it's doubtful that the folks who wrote the law could have fathomed something like webmail or other online forms of communication. If we're talking about "stored communications" today, it seems ridiculous to have it not cover web-based mail systems or social networks. But the law doesn't seem to support that view -- because the law is incredibly out-of-date. But, of course, the problem with fixing the law is that lawmakers will, again, have trouble figuring out where we'll be just a few years out, and the law may either fail to cover what it thinks it covers or (perhaps worse) cover stuff that should be perfectly legal.

And this, of course, is what we fear when it comes to politicians meddling in technology. Even when they have the best of intentions, technology changes rapidly -- and old and obsolete definitions get left in the law and can create problems or situations that make very little sense. If Congress were able to clean those up quickly, perhaps there wouldn't be a problem, but Congress isn't known for fixing real problems quickly. We've been hearing talk of fixing ECPA for years, and it seems unlikely to happen for a while.

and, as stated, yet again, bloody old fools are not ruling over the real issues, simply because they dont understand the real issues or today's technology. although there is no way for the law to keep abreast of technology, it is no excuse for judges to not update themselves with the latest technology, the results of previous cases using the same technology, use what the law says atm and also apply some common sense. i do appreciate the last thing is probably the most difficult, given their age and the nature of the technology used

"this, of course, is what we fear when it comes to politicians meddling in technology. Even when they have the best of intentions, technology changes rapidly ..."

Funny, I think one can draw almost precisely the opposite conclusion from ECPA. The law was drafted 27 years ago - when the online world for most of your readers (who were alive) consisted of 300 baud modems connecting BBSes. The technology has changed dramatically, so it actually is surprising just how resilient, and how applicable to new technologies, ECPA has turned out to be.

ECPA basically provides heightened statutory protections for communications in transit. For communications and other data that have come to rest - they've already been delivered to their recipient, and are now being store din the cloud for convenience - it provides somewhat less protection, but still more than if you stored the same things on paper with a storage company. Is it difficult to fit things like Gmail into ECPA's framework? Not really. It's possible to draw bright line rules with all sorts of "new" technologies (even though today's cloud computing looks a heck of a lot like the client-server model circa 1986). The difficulty is agreeing on where we should draw those bright line rules. That's illustrated by the divergent court interpretations of ECPA in the context of these "new" technologies, but it doesn't necessarily seem to be the fault of ECPA's language or the 1986 Congress.

And it seems to me that your critique of ECPA isn't so much that ECPA's language is so outdated that it can't be applied to new technologiesm, but rather you don't like the distinctions ECPA draws (between in transit data and stored data).

Does ECPA need updating? Might we (collectively, as TD readers or as a country) want to draw the lines a little differently, to provide higher statutory protections for data stored in the cloud? Sure. Or at least maybe. But compare ECPA to other tech-related laws from the 80s (like anything regarding television) and by comparison ECPA seems like a paragon of forward-looking technology-neutral lawmaking.

"If a person reads his or her Gmail account, then the message was copied to his or her local machine inside the browser. Thus, it seems reasonable to argue that the copy that remains on the server is a backup copy. But two of the judges in this case argued that because the recipient had not "downloaded" any other copies of the message to store, then the ones on the server were not "backups." "

Actually, you don't really download to your browser, because your browser creates at best a cache copy of the email, but doesn't actually really retain it. If you downloaded the email to a mail program that actively downloaded the full email, headers and all, using smtp, and then instructs the server to delete the stored message from the server because it's received, then it is in fact downloaded.

Otherwise, the message isn't downloaded, it's only viewed. For those users who surf with "delete cache when I close the browser" or who do not use page caching at all, you would create a standard which they would not live up to. A browser is a viewing software, not something that specifically downloads content.

Put another way: If you lose your connection to the internet after closing your browser (and having it automatically clear the cache) would you have a copy of the email? Nope. So you didn't download it. You viewed it in an interactive session.

The technology is really simple, unless you try really hard to play word games with it.

Re:

"For those users who surf with "delete cache when I close the browser" or who do not use page caching at all"

...and for those who don't? It suddenly becomes more complicated when a simple browser setting can change the legality of an action. Especially when most browsers have plugins that are specifically made to store webmail sessions offline.

"The technology is really simple, unless you try really hard to play word games with it."

Re: Re:

Re: Re:

Not really. At best, you have a cached copy, which may or may not be complete, but which was not a true download, as you never instructed the mail server to delete the pending message for you.

Gmail in a browser is possibly the best example: you never download messages, they stay on the gmail server, and you access them via an interactive session. You never instruct gmail to actually remove the message from the server (it just sits there read) and as such, it isn't a backup, it's the original.

Even if you get your gmail on your smartphone (android), you are at best making a copy of the messages, because you never instruct gmail to delete them to rely solely on your own device storage.

“electronic storage” means--
(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and
(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication;

this is a perfectly valid and legalised definition and is clearly able to be applied to be exactly what it reads.

an email sitting on a POP server is not a backup of another email, it IS THE email, it is in the process of electronic communications.

even if you have that information 'stored' my your email ISP, does not take away from the fact that it is 'in communardio', the emails stored on your server are the originals, in constant transit, in electronic communications, if you wish to make a backup of those files you would have to copy those files (from the originals)..

ie, the originals are not, and cannot be, by definition (legal or otherwise) be the backups also.

the legal definition used by the court seems to understand that technology quite well.. the author of this article not so much.

Laws dont have to change with technology advancement, laws in generally in place for things involving people and property and money, human rights, and so on.

When the transistor was invented do you think the politicians rushed in lots of new laws ?? what kind of laws.

This case, does not revolve around technology, it is a case where someone wants to read someone else documents (mail in this case).. it's about people, not technology.

what if the next time you log onto your hotmail or gmail account you find that your inbox is empty, your deleted mails folder is empty..

you ring up your isp or email provider and say "can you recover those files from your backup ?? "

they will probably say, "what is in your inbox is what you have".. your inbox is not a backup.. if that filespace is wiped clean they are gone..

Put another way: If you lose your connection to the internet after closing your browser (and having it automatically clear the cache) would you have a copy of the email? Nope. So you didn't download it. You viewed it in an interactive session.

Then why is it that when somebody "views in an interactive session" a YouTube video, the law considers it to be a downloaded copy that potentially infringes copyrights?

The way I see this rulling, it effectively makes it legal to read it, as long as you do not attempt to destroy or alter it.

I think this could have implications far beyond E-mail. How long now until someone attempts to break in and steal the text of TPP and CETA. The way I see it, this ruling also makes it open season on that. I would imagine the the people running the computers that have the TPP and CETA texts have probably figured that out, and are likely taking steps to beef up security on those machines.

You watch, there will be attempts to access and leak TPP and CETA texts, as a result of this runing. This ruling effectively declares "open season" on the purloining of data from any computer, as long as you do not attempt to alter or destroy it.

I would not be surprised if the next Congress, in January, puts some kind of badly-written and misguided bill regarding this, on the fast track to passage.

You watch, there will be either a CISPA 2.0 or SOPA 2.0 that attempts to address this issue, draconian, and very badly written.

Re: Re:

lol, i'm sure the judges would say the same thing about the technology. "if those damned techies didn't intentionally make it so hard to understand, then we wouldn't assume they're hiding something, and be forced to break their toys"

Re: Re: Re:

Not sure more intelligence is needed, but maybe fewer laws. If it is fraud in the real world, then it is fraud on the internets. We don't need a new law to cover the internets if the original law against fraud was written in a way that means of transportation were irrelevant.

If mail is protected, then all mail, including any form of electronic, holographic, brain to brain transmissions when we learn to do it, etc. should be covered without all this quibbling.

Re:

For communications and other data that have come to rest - they've already been delivered to their recipient, and are now being store din the cloud for convenience

But you see, there is literally no difference between "in transit" and "stored" when it comes to these types of systems. That's what's changed. The law assumes that there is a difference, and that the difference can be easily ascertained. That's what makes the law out of date.

Re:

And it seems to me that your critique of ECPA isn't so much that ECPA's language is so outdated that it can't be applied to new technologiesm, but rather you don't like the distinctions ECPA draws (between in transit data and stored data).

Exactly. When the line drawn isn't the one he wants, it's the stupid-old-outdated-law-and-the-corrupt-imbeciles-in-Congress's fault. Those idiots are never right--except when they do get something right, but then, that's usually just a mistake.

All I know is that this country sucks and I hate everything about it and I'm going to complain about every little thing ever! Oh wait, that's not me. That's Techdirt.

Re: Re: Re:

Sonny, you see, the cache is located in your hard drive, at best in your memory if you are tech savvy and knows how to force Windows/Linux to use the RAM instead of the HDD as cache. So yes, you downloaded a copy to your computer. I do believe in the future the connections will be fast enough so only the bare minimum will need to be stored locally but so far that's where we are at.

The copy on your smartphone usually remains for a while and is accessible without any connection. Maybe the attachments aren't downloaded upon opening the message (and it's dependent on the app you are using).

Yes you can instruct gmail to delete the e-mail upon downloading it. In a sense if you are using a specific software to download the messages permanently to your computer you can instruct Gmail to keep the messages as backup. Also, if you are using imapi, your gmail account will act as a shadow copy of what you do in your hard drive. If you delete a message it will delete a message on the server, if you tag it in your computer it will tag on the server.

You do not know how browsers function. Nor I fully understand how they work but I certainly know the basics better than you.

Re:

I think it's open to interpretation. If you downloaded the message to your computer but decided to leave them on the server then they are a backup. You see, this is the problem with the law, what might have been backups back then can now be the actual copy of the file. Heck, I know people that have multiple e-mail accounts and use one of them to keep a copy of the messages just in case (I'm looking at myself).

A Little OT

the offense as occurring when someone "obtains, alters or prevents" access to communication "while it is in electronic storage."

So...an internet outage is illegal?

If I am reading my Gmail and all of the sudden my internet goes out, my ISP is preventing me from accessing communications on Google's server. The communication exists in intermediate storage on Google's server until I decide what to do with it, and while this storage time can be indefinite (as long as Google keeps the service running) it can still be defined as intermediate as I can remove it at any time. This means that my ISP is in violation of the law as it is written.

Re:

Actually, you don't really download to your browser, because your browser creates at best a cache copy of the email, but doesn't actually really retain it.

There is nothing about retention. But a cache copy is downloaded just as well. So... my original statement stands.

Put another way: If you lose your connection to the internet after closing your browser (and having it automatically clear the cache) would you have a copy of the email? Nope. So you didn't download it. You viewed it in an interactive session.

You still downloaded it. What happens after is of no concern to the question of whether or not it was downloaded.

The technology is really simple, unless you try really hard to play word games with it.

>two of the judges in this case argued that because the
>recipient had not "downloaded" any other copies of the
>message to store, then the ones on the server were not
>"backups."

I do in fact download my gmail to store it. I figure a lot of other people who don't trust that gmail is forever and some bug won't eat their account do this too (it happened to my hotmail). Clearly the judges are ... not thinking clearly.

Re: Re: Re: Re:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated...

What about that is so hard to understand? They were referring to your personal documents and other personal effects. I recognize that is not the issue in this particular case, but is it so hard to do the same with other laws? If it's illegal to break into someone's home and read their letters, then it's illegal to break into their account and read their email.

Re: Re:

Well, yes, one can look at in-transit and stored data and say there's no difference. And on some level, that'd be correct. After all, they're both just bits being represented magnetically or optically somewhere. But on a different level of abstraction, they are meaningfully different. The law makes these sorts of distinctions in other areas all the time. In the context of money: some types of income are taxed differently than others; some monetary transactions are allowed, while others aren't. Even though it's all just money. In the context of speech: it may be perfectly legal to say "I'm going to kill you!" in some circumstances (on stage, or in jest), and not in others (where the words are an actual threat).

Courts could conclude that communications intended for a particular recipient are "in transit" until that recipient has actually received and read/viewed/listened to that message. Or they could conclude that a message is in transit until the recipient has had an opportunity to read (or delete) the message, without needing to determine whether the message actually has been read or understood. (The analogy would be to situations in corporation or contract law where a perosn is deemed to have constructive knowledge of a fact even if it's possible they were not actually aware of the fact.)

The point is that the dichotomy between in-transit and stored information isn't a fundamental flaw with ECPA. Mike seems more concerned that (a) judges have differing views about how this standard ought to apply to novel fact patterns, and (b) more fundamentally, this framework doesn't provide enough privacy protection for data deemed to be no longer in transit. But "a" is going to be a problem with pretty much any law that gets applied to novel technologies by judges of varying familiarty with them. And if "b" is the problem, then it's not a problem inherent in ECPA because of its structure or age - it's a result of Mike being generally more keen on strong privacy protections than Congress or the courts. (Not that that's a bad thing, Mike. I'm just sayin'...)

But haven't laws always involved some sort of technology?

Radio was once the latest thing. Electricity was once the latest thing. Cars were once the latest thing. X-rays were once the latest thing.

Seems if you want to avoid writing regulations because you might stumble upon changing technology, you'd banish all regulations. I realize that some people want that, but when you have an unregulated stock market, unregulated banking system, or unregulated health care system (I'm thinking of people who have died recently from meningitis after treatments from supplies from a barely regulated pharmacy) sometimes things get out of hand.

Look at the history of asbestos. People were dying from asbestos-related cancer for decades before something was finally done about it.

Re:

Downloading is NOT just the permanent storage of data but also the downloading of the ones and zeros that:
* are retained in your computers memroy for programs to function
* are saved into a cache, whether deleted after the fact or retained for prosperity
* are transferred into a program so that you can read the pretty letters on your screen.

In other words under your strangely worded Act anything transferred AT ALL is downloaded.

It doesn't matter if it is deleted after you have read it automagically or not. The actual act of initiating the transfer to your machine for ANY reason is the instance of the download in question under this act.

The technology of what you are doing might be simple but sadly the Act does NOT talk about the technology and is absolutely NOT simple.

Re: Re:

Re: Re:

All I know is that this country sucks and I hate everything about it and I'm going to complain about every little thing ever! Oh wait, that's not me. That's Techdirt.

This is my main problem with you AJ. You make asinine assumptions that you insist must be true and then you simply refuse to consider any possible alternative explanation. It's maddening.

The truth is I love this country and think it's great, but making some bad decisions that will harm its competitiveness going forward, as well as its ability to innovate and grow, while encouraging the kind of creativity we need to see.

What you falsely judge as "hate" and "complaints" are, instead, concerns and pushing for improvements on where things are going off base.

And yet, you seem to not comprehend these basic facts. Instead, you come here and you attack (and whatever happened to your bullshit promise not to post here until next year?!?) and you vandalize the comments.

Re: But haven't laws always involved some sort of technology?

Hmm, I think the best way to handle the evolution of technology, and the law's interaction with it, would be two-fold:

1. Have set limits, say, 5 years, for a tech focused law to be in effect. At the end of the term, it can be extended, but has to go through all the same processes as the original bill went through(with several additions), allowing it to be 'updated' to compensate for changes in technology.

As a part of this process there would be a required study(or preferably more than one, from neutral sources) conducted to go over and assess the effects, both positive and negative, that the bill caused while it was active, as well as seeing how effective it was at achieving the specific goals that was set for it.

If it doesn't make it through the process again, then it automatically is phased out and is no longer a law.

2. Have laws/bills aimed more at the generalities than the specifics.

So in a case like this, instead of having a bill stating that the authorities aren't allowed to use methods A, B, and C to break into, and read an individual's personal correspondence without a warrant, just have it say that they are not allowed to do it using any method without a warrant.

Re: Re:

Report to avoid censorship:

And it seems to me that your critique of ECPA isn't so much that ECPA's language is so outdated that it can't be applied to new technologiesm, but rather you don't like the distinctions ECPA draws (between in transit data and stored data).

Exactly. When the line drawn isn't the one he wants, it's the stupid-old-outdated-law-and-the-corrupt-imbeciles-in-Congress's fault. Those idiots are never right--except when they do get something right, but then, that's usually just a mistake.

All I know is that this country sucks and I hate everything about it and I'm going to complain about every little thing ever! Oh wait, that's not me. That's Techdirt.

Re: Re: Re: Re:

When free speech is interesting for you then you call it into debate, when it isn't you dismiss it as piracy apology. Rather telling. There are plenty examples of opposing opinions in the comments that don't derail or vandalize the thread because they either discuss in a civilized way with proper argumentation often based on evidence, not some mindless personal attacks.

In the end you are the ones making fools of yourselves which is just pitiful.

Re: But haven't laws always involved some sort of technology?

"Seems if you want to avoid writing regulations because you might stumble upon changing technology, you'd banish all regulations"

That's not entirely the point here, I don't think. I wouldn't read it as saying "we shouldn't regulate new technology", but rather "technology changes at a rapid rate and the regulations need to keep pace".

That is, it's the speed at which congress reacts to change that's the problem, not the fact that the regulations exist to begin with. Of course, there's likely to be other types of unintended consequences if the rate of change was too fast, but clearly the current situation needs work.

Re: Re: But haven't laws always involved some sort of technology?

I wouldn't read it as saying "we shouldn't regulate new technology", but rather "technology changes at a rapid rate and the regulations need to keep pace".

There's a paper by economist Paul Romer that addresses this. Here's a bit of a summary and you can find a link to the paper itself.

Romer on rules - NYU Stern Economics: "Rules aren’t 'one and done.' As the world changes, the rules need to change with it. Advances in technology and globalization have made this more difficult in two ways. One is that the pace of innovation requires more rapid change. The other is that the scale is so large that traditional social mechanisms for controlling behavior don’t work as well — and changing more formal systems is harder to do. ...

"Principle-based systems work better in some settings. His example is the FAA, which 'approaches its task of ensuring flight safety with rules that specify required outcomes but that are not overly precise about the methods by which these outcomes are to be achieved,' … Examiners have 'a large measure of flexibility' but 'are held responsible for their decisions.'"

Re: Re: Re:

But on a different level of abstraction, they are meaningfully different.

On that level of abstraction, the difference is entirely imaginary. We make it up. Therefore, it's an artifice. Your paragraph on the various things that the courts could conclude pretty much demonstrates this.

That courts need to invent a difference just to make it possible to apply existing law, then that tells me that the existing law is not really appropriate for this circumstance.

The point is that the dichotomy between in-transit and stored information isn't a fundamental flaw with ECPA.

I'm not saying that the ECPA is flawed. I'm saying that it is not appropriate to this variant of technology. It is obsolete in this context.